Hi,

There seems to be a bug in check_revocation() (file: x509_vfy.c). In order to check a cert against a CRL chain (i.e., multiple CRLs) the flag to be used is X509_V_FLAG_CRL_CHECK_ALL. However, the function check_revocation() is encoded as follows:

    if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL)
        last = 0;
    else
        last = sk_X509_num(ctx->chain) - 1;

As a result, the function always checks only 1 CRL (the first CRL in the stack). I believe that the check should be written as:

    if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL)
        last = sk_X509_num(ctx->chain) - 1;
    else
        last = 0;

I am using OpenSSL 0.9.7 but the function is implemented in the same way in 0.9.7a too. Please let me know whether this is indeed a bug or whether I missed something.

Thanks and Regards,
Reshma Mistry
Systems Engineer, Siemens Information Systems Limited
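To make the consequence of the loop bound concrete, here is an added C simulation of the two variants of the bound selection quoted in the message. It is not code from OpenSSL or from the poster: the flag bit values, the chain structure and the per-depth revocation status are constructed stand-ins, and the simulated check only models the loop over chain depths (depth 0 is the end-entity certificate), not real CRL lookup. The point it shows is the one that matters to a verifier: with the posted bound and X509_V_FLAG_CRL_CHECK_ALL set, a revoked intermediate at depth 1 is never looked at, whereas the proposed bound walks the whole chain and reports it.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed stand-ins for the OpenSSL verify flag bits (values are assumed). */
#define V_FLAG_CRL_CHECK      0x4UL
#define V_FLAG_CRL_CHECK_ALL  0x8UL

/* Constructed chain model: num certs, depth 0 = leaf, num-1 = root.
   revoked[i] is the assumed CRL status of the cert at depth i. */
typedef struct {
    int  num;
    bool revoked[8];
} chain_t;

/* Loop bound exactly as quoted from the 0.9.7 source in the message. */
int last_index_posted(unsigned long flags, int num) {
    return (flags & V_FLAG_CRL_CHECK_ALL) ? 0 : num - 1;
}

/* Loop bound as proposed by the poster (branches swapped). */
int last_index_proposed(unsigned long flags, int num) {
    return (flags & V_FLAG_CRL_CHECK_ALL) ? num - 1 : 0;
}

/* Simulated check_revocation(): walks depths 0..last, returns 1 if every
   checked cert is unrevoked, 0 on the first revoked one (depth stored in
   *depth_out when non-NULL). Mirrors the structure of the real loop only. */
int check_revocation_sim(const chain_t *c, unsigned long flags,
                         int (*last_fn)(unsigned long, int), int *depth_out) {
    if (!(flags & V_FLAG_CRL_CHECK))
        return 1;                       /* CRL checking not requested */
    int last = last_fn(flags, c->num);
    for (int i = 0; i <= last; i++) {
        if (c->revoked[i]) {
            if (depth_out) *depth_out = i;
            return 0;
        }
    }
    return 1;
}

/* Scenario from the message: three-cert chain, caller asks for CRL_CHECK_ALL,
   and the intermediate CA at depth 1 is on its issuer's CRL (constructed).
   use_proposed selects which loop bound is simulated. */
int verdict_with_revoked_intermediate(int use_proposed, int *depth_out) {
    chain_t c = { .num = 3, .revoked = { false, true, false } };
    unsigned long flags = V_FLAG_CRL_CHECK | V_FLAG_CRL_CHECK_ALL;
    return check_revocation_sim(&c, flags,
                                use_proposed ? last_index_proposed
                                             : last_index_posted,
                                depth_out);
}

/* Convenience for the proposed bound: which depth gets flagged (-1 if none). */
int offending_depth_proposed(void) {
    int d = -1;
    verdict_with_revoked_intermediate(1, &d);
    return d;
}

int main(void) {
    int d = -1;
    printf("posted bound   (CRL_CHECK_ALL): verdict=%d  last=%d\n",
           verdict_with_revoked_intermediate(0, NULL),
           last_index_posted(V_FLAG_CRL_CHECK_ALL, 3));
    printf("proposed bound (CRL_CHECK_ALL): verdict=%d  last=%d  revoked depth=%d\n",
           verdict_with_revoked_intermediate(1, &d),
           last_index_proposed(V_FLAG_CRL_CHECK_ALL, 3), d);
    return 0;
}
```

Running it prints a verdict of 1 (chain accepted) for the posted bound, because `last` collapses to 0 and only the leaf is examined, and a verdict of 0 with depth 1 for the proposed bound. Whichever way the real code is eventually settled, the check an application author wants is the same: after enabling CRL_CHECK_ALL, verify with a test chain whose intermediate is revoked and confirm the verification actually fails.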